1.    15 Feb 2016 #1
    Join Date : Oct 2013
    Posts : 25,786
    64-bit Windows 10 Pro build 17046

    Windows 10 and telemetry: Time for a simple network analysis


    Looking at the right data is the only way to understand what Windows 10 is really doing.

    There's been a lot of discussion recently about the telemetry data that Windows sends back to Microsoft. There's also been a lot of bad data out there, data that can make it easy to draw some of the wrong conclusions.

    When you need data, it pays to use the right tools. And when it comes to network traffic analysis, one of the best tools around is the free Wireshark. Using the WinPcap network drivers, it lets you see every packet that runs through a network adapter - including IPv6 traffic.

    So if we're to get a picture of what data is being sent from a Windows 10 PC to Microsoft's telemetry servers and how frequently, it was the tool I turned to. In order to capture a basic working set of network traffic data, I installed it on a Surface Pro 3 running the current main branch build of Windows 10 Pro. I could use the standard WinPcap drivers, as I was using a docking station - a set of USB WinPcap drivers are available if you're using a USB network card.

    My network is relatively simple: a VDSL FTTC broadband router drops into a gigabit switch, with a mix of domain-joined and workgroup PCs, servers, and notebooks using both wired and wireless connections. That meant much of the traffic would be internal network operations, and I'd need to filter it out from my results. I also shut down as many services and applications as possible; so that I wouldn't drown out any telemetry HTTPS connections using my browser and other Internet and cloud applications. I left Windows 10's core functions running, including OneDrive and Windows Defender.

    In order to get a baseline set of readings, I ran Wireshark initially for around 30 minutes, capturing over 130,000 network transactions. Of those, only 27 were to Microsoft's watson and telecommand servers at telemetry.microsoft.com.nsatc.net. Wireshark is able to calculate reverse DNS names for the IP addresses tracked at your network card, with source and destination information and details of the protocols used.

    You're also able to see the contents of any data delivered to a server, though in the case of Microsoft's Windows 10 telemetry this is encrypted using TLS v1.2, and so there's no way of actually seeing the content of a telemetry packet. However, as the average packet size is just over 3KB, it's clear that when you take into account the encryption overhead very little data is being sent to Microsoft...


    Read more: Windows 10 and telemetry: Time for a simple network analysis | ZDNet
  2.    15 Feb 2016 #2
    Join Date : Oct 2014
    Posts : 1,555
    W7 32 bit, Linux Mint Xfce 18 64 bit

    Some people in the comment section of the article still don't believe it; this is a freelance journalist.
    Last edited by groze; 15 Feb 2016 at 11:45.
  3.    15 Feb 2016 #3
    Join Date : Dec 2013
    Portsmouth Hampshire
    Posts : 1,872
    Windows 10 x86 14383 Insider Pro and Core 10240

    However, as the average packet size is just over 3KB, it's clear that when you take into account the encryption overhead very little data is being sent to Microsoft...
    It's amazing what you can glean from "yes" or "no" answers if you ask the right questions.
  4.    15 Feb 2016 #4
    Join Date : Nov 2015
    Posts : 4,891
    windows 10 Home threshold2

    Out of my league.
    Don't have the foggiest what I was reading.
    Should I take the article's word for it?
    Namely ... Microsoft is doing just what it says: taking the data it needs to improve PC applications and services.
  5.    15 Feb 2016 #5
    Join Date : Feb 2014
    Posts : 487

    This one paragraph shows exactly why all articles I've seen so far regarding what data is being sent to Microsoft (both for and against) are entirely baseless.

    You're also able to see the contents of any data delivered to a server, though in the case of Microsoft's Windows 10 telemetry this is encrypted using TLS v1.2, and so there's no way of actually seeing the content of a telemetry packet. However, as the average packet size is just over 3KB, it's clear that when you take into account the encryption overhead very little data is being sent to Microsoft.

    Using the fact Windows is making outbound connections as a reason to suggest something nefarious is going on is total bunk, as making outbound connections is not proof of any wrongdoing. On the other hand, using file size as a reason to suggest that there's nothing to worry about is equally total bunk, as text data is small in size. In addition, the author also doesn't know the criteria for when data is actually sent.

    The only way to do it properly is to set up network traffic capture to capture everything over an extended period of time and then filter the traffic to show particular parts of the traffic that are of interest. However, the part everyone keeps ignoring is that the network traffic needs to be decrypted so that the person doing the analysis is able to see exactly what's being sent and received in the clear. Only then will they know for sure what they are looking at.

    If they are just capturing encrypted traffic, it is a pure guess what that data could be and so a completely useless exercise. So, instead of rushing to publish articles, they first need to man-in-the-middle the encrypted network traffic so that the parts of the capture that are encrypted (which will be everything of any importance going to Microsoft's servers) can all be seen in plain text. There would obviously be nothing preventing Microsoft from encrypting the data separately and then transmitting it also over an encrypted connection; however, that bridge can't be crossed until the first bridge is crossed of decrypting and reading all that data being transmitted over the secure connections.
  6.    17 Feb 2016 #6
    Join Date : Oct 2014
    Posts : 149
    Windows 10 64-bits

    Quote Originally Posted by ARC1020 View Post
    This one paragraph shows exactly why all articles I've seen so far regarding what data is being sent to Microsoft (both for and against) are entirely baseless.

    Using the fact Windows is making outbound connections as a reason to suggest something nefarious is going on is total bunk, as making outbound connections is not proof of any wrongdoing. On the other hand, using file size as a reason to suggest that there's nothing to worry about is equally total bunk, as text data is small in size. In addition, the author also doesn't know the criteria for when data is actually sent.

    The only way to do it properly is to set up network traffic capture to capture everything over an extended period of time and then filter the traffic to show particular parts of the traffic that are of interest. However, the part everyone keeps ignoring is that the network traffic needs to be decrypted so that the person doing the analysis is able to see exactly what's being sent and received in the clear. Only then will they know for sure what they are looking at.

    If they are just capturing encrypted traffic, it is a pure guess what that data could be and so a completely useless exercise. So, instead of rushing to publish articles, they first need to man-in-the-middle the encrypted network traffic so that the parts of the capture that are encrypted (which will be everything of any importance going to Microsoft's servers) can all be seen in plain text. There would obviously be nothing preventing Microsoft from encrypting the data separately and then transmitting it also over an encrypted connection; however, that bridge can't be crossed until the first bridge is crossed of decrypting and reading all that data being transmitted over the secure connections.
    Agreed and adding one more thing...

    The limited time frame did not take into account the data transfers that may take place during booting up or shutting down the OS. One could easily say that during the boot up/shut down process there might be a larger data transfer that's not visible to Wireshark. If that's true, then the subsequent data transfers are just updates to the initial, large data transfer. That could be one of the possible explanations for the relatively small data transfers to MS, captured by Wireshark, during the limited time frame.

    Capturing start up/shut down data transfers can easily be done. Run Windows 10 in VMware and capture its network connections with Wireshark, active on the host OS.

    The results in the article would have more credibility, if it accounted for all network communication by the OS.
  7.    17 Feb 2016 #7

    By this paragraph "You're also able to see the contents of any data delivered to a server, though in the case of Microsoft's Windows 10 telemetry this is encrypted using TLS v1.2, and so there's no way of actually seeing the content of a telemetry packet. However, as the average packet size is just over 3KB, it's clear that when you take into account the encryption overhead very little data is being sent to Microsoft" I feel people are over-reacting and surely there isn't actually a great deal of information being sent.
  8.    17 Feb 2016 #8
    Join Date : Oct 2014
    Posts : 149
    Windows 10 64-bits

    Quote Originally Posted by swarfega View Post
    By this paragraph "You're also able to see the contents of any data delivered to a server, though in the case of Microsoft's Windows 10 telemetry this is encrypted using TLS v1.2, and so there's no way of actually seeing the content of a telemetry packet. However, as the average packet size is just over 3KB, it's clear that when you take into account the encryption overhead very little data is being sent to Microsoft" I feel people are over-reacting and surely there isn't actually a great deal of information being sent.
    Average is just that, average. Depending on the number of actual packets, the average packet size can be misleading. You could have one large and lots of small packets, could be subsequent updates to the large packet, that still give you an average packet size of 3KB. The article did not provide the capture file and as such, it's hard to say...
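The two points made in posts #5 and #8 (filter the capture down to the hosts you actually care about, and do not trust an average on its own) can be checked mechanically on a capture export. The script below is an added example, not code from the ZDNet article or from any poster in this thread. It works on a constructed packet list embedded inline so that it runs offline; the only value taken from the page is the hostname telemetry.microsoft.com.nsatc.net. The IP addresses come from the RFC 5737 documentation range and the reverse-DNS table is an assumption standing in for Wireshark's name resolution. The packet sizes are chosen so that the mean lands "just over 3KB", as in the article, while nearly all of the bytes sit in a single upload, which is exactly the case post #8 describes.

```python
"""Added example (not from the ZDNet article or any poster in this thread):
summarise a packet capture export the way the thread suggests, dropping
local-network traffic, keeping only packets to the telemetry hostname
named in the article, and reporting more than just the average size.
"""
import ipaddress
import statistics
from collections import defaultdict

# Address ranges treated as "my own network". Checked explicitly rather than
# with ipaddress.is_private, because is_private also flags the RFC 5737
# documentation range that the constructed sample below uses for external hosts.
LOCAL_NETS = [
    ipaddress.ip_network(n)
    for n in (
        "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
        "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local
        "224.0.0.0/4", "255.255.255.255/32",                # multicast, broadcast
        "::1/128", "fe80::/10", "fc00::/7", "ff00::/8",     # IPv6 equivalents
    )
]

# Hostname quoted in the article; everything else in this script is constructed.
TELEMETRY_SUFFIX = "telemetry.microsoft.com.nsatc.net"

# Constructed reverse-DNS table standing in for Wireshark's name resolution
# (documentation addresses, not Microsoft's real ones).
REVERSE_DNS = {
    "203.0.113.10": "telemetry.microsoft.com.nsatc.net",
    "203.0.113.20": "cdn.example.net",
}

# Constructed capture rows: (seconds since capture start, src, dst, frame length).
# 26 small telemetry posts plus one 76,000-byte upload give a mean of ~3.1KB.
SAMPLE_PACKETS = (
    [(i * 60.0, "192.168.1.50", "192.168.1.1", 120) for i in range(30)]          # LAN: DNS queries
    + [(i * 60.0 + 0.1, "192.168.1.1", "192.168.1.50", 140) for i in range(30)]  # LAN: DNS replies
    + [(i * 60.0 + 10, "192.168.1.50", "203.0.113.20", 900) for i in range(30)]  # some other cloud host
    + [(i * 65.0 + 1, "192.168.1.50", "203.0.113.10", 300) for i in range(26)]   # small telemetry posts
    + [(0.5, "192.168.1.50", "203.0.113.10", 76_000)]                            # one large upload at start
)


def is_internal(ip: str) -> bool:
    """True if the address falls in one of the local/non-routable ranges above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def external_packets(packets):
    """Drop packets whose source and destination are both on the local network."""
    return [p for p in packets if not (is_internal(p[1]) and is_internal(p[2]))]


def to_host(packets, suffix, names=REVERSE_DNS):
    """Keep packets whose destination resolves to a name ending in `suffix`."""
    return [p for p in packets if names.get(p[2], "").endswith(suffix)]


def summarize(packets):
    """Count, total, mean, median, largest packet, and the share of bytes it carries."""
    sizes = [p[3] for p in packets]
    total = sum(sizes)
    largest = max(sizes)
    return {
        "count": len(sizes),
        "total_bytes": total,
        "mean_bytes": total / len(sizes),
        "median_bytes": statistics.median(sizes),
        "max_bytes": largest,
        "largest_share": largest / total,
    }


def bytes_per_window(packets, window_seconds):
    """Bytes sent per time window, to show where in the capture the volume sits."""
    buckets = defaultdict(int)
    for t, _src, _dst, size in packets:
        buckets[int(t // window_seconds)] += size
    return dict(sorted(buckets.items()))


if __name__ == "__main__":
    ext = external_packets(SAMPLE_PACKETS)
    tel = to_host(ext, TELEMETRY_SUFFIX)
    s = summarize(tel)
    print(f"{s['count']} packets to *{TELEMETRY_SUFFIX}, {s['total_bytes']} bytes")
    print(f"mean {s['mean_bytes']:.0f} B, median {s['median_bytes']} B, "
          f"largest {s['max_bytes']} B = {s['largest_share']:.0%} of all bytes")
    print("bytes per 10-minute window:", bytes_per_window(tel, 600))
```

With a real capture the same four columns can be exported from Wireshark via File > Export Packet Dissections > As CSV, or with `tshark -r capture.pcapng -T fields -e frame.time_relative -e ip.src -e ip.dst -e frame.len`, and fed to `external_packets`. On the constructed data the mean is about 3.1KB, but the median is 300 bytes and one packet carries roughly 91% of the bytes, all of it inside the first window, which is the picture an average alone cannot show.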

 

